In today’s tech-dominated world, as more digital devices permeate the practice of medicine, they simultaneously create more opportunities for HIPAA law violations. Telling somebody too much about a patient, walking away from an unlocked computer, or even trying to catch up on a backlog of EHRs on the weekend could all put you on the wrong side of the law. Watch out for these 5 actions that could leave you or your employer facing some hefty fines.
Forwarding PHI to a personal email account
Physicians frequently do this with good intentions, but they end up breaking HIPAA law in the process. They want to catch up on a backlog of work, or they don’t have enough storage space in their corporate-issued email account. But doing so violates patient protection laws. It could also violate your employer’s in-house privacy policies, resulting in you being a jobless doctor. The same goes for any information — digital or printed — that you might remove from your hospital or employer’s office. Removing PHI from a healthcare institution is an almost guaranteed way to run afoul of HIPAA law. If you must access PHI from home, ask your employer to set you up with remote access to work servers. And never store any patient information locally on your personal device.
Walking away from paperwork or a computer
Walk down any hospital corridor, and you’ll likely see COWs (computers on wheels) and WOWs (workstations on wheels) everywhere you look. You might even be using a tablet or laptop to log patient data. All of these devices could be HIPAA time-bombs waiting to blow. All it takes is you walking away from one and leaving patient data visible on the screen. The same goes for any printed materials. Like computers and other devices, these can’t be left unattended. Talk to your IT department. They’ll likely advise you to always log out of a COW or WOW before walking away, and to always lock any of your other password-protected devices. Keep a close eye on those paper records, shredding whatever you don’t need.
Disclosing patient information to an unauthorized person
This one is especially dangerous because the implications aren’t so obvious. Sometimes, an accidental disclosure takes the form of information given over the phone to a family member (or someone claiming to be one) who isn’t authorized to receive it. Accidental disclosures can also happen during face-to-face interactions. For example, perhaps a family member who isn’t supposed to be present arrives at the hospital and you update them on the patient’s status. HIPAA law requires written consent from the patient or the patient’s designated representative to disclose information. The patient or the representative also has the right to determine who can receive what information. If you aren’t sure of your employer’s disclosure consent policy, check with whoever is responsible for compliance.
Removable storage devices
It might behoove healthcare organizations to ban USB memory devices. In fact, some healthcare IT departments will even go so far as to prevent networked computers from recognizing them. And for good reason. Let’s say you put some PHI on one of these drives and lose it. Even if you never took it out of the hospital, if it were to fall into the hands of any unauthorized person, you could be looking at a HIPAA violation. The same thing applies to any employer-issued devices, such as tablets and laptops. Do not take these outside of the office. In many cases, taking them outside of your employer’s walls is a violation. Also, think of the potential damage that could be done if your laptop or tablet were stolen. Social Security numbers fetch a pretty penny on the black market.
Poor password management
We’re all guilty of doing this. Our password is expiring, so we stick a 1 at the end of it, or maybe an exclamation point. Maybe you’re using the same password for work-related logins and personal logins. It could be that you can’t remember your passwords, so you’ve written them on a piece of paper that you’ve buried not so discreetly in your desk (or God forbid, stuck to your computer monitor). In a pinch, perhaps you’ve shared your credentials with a colleague. All of these things need to stop immediately. Remember that in many instances, regulators don’t assess fines for HIPAA violations based on the instance, but on the number of patients affected. So, hypothetically, what might the fine look like if someone obtained access to, say, every patient who’s been to your hospital in the past 20 years, because your password is password123? Best not to find out.
Here are 5 ways you might be putting yourself at risk of a HIPAA violation without realizing it:
- Forwarding PHI to a private email account or taking PHI home with you
- Leaving an unlocked computer or paperwork unattended
- Talking too much to a patient’s family without knowing who can know what
- Using removable storage devices, such as USB drives, or taking employer-issued laptops or tablets home with you
- Using weak passwords or sharing passwords with colleagues